Abstract. In Bounded Model Checking both the system model and the checked property are translated into a Boolean formula to be analyzed by a SAT-solver. We introduce a new encoding technique which is particularly optimized for managing quantitative future and past metric temporal operators, typically found in properties of hard real time systems. The encoding is simple and intuitive in principle, but it is made more complex by the presence, typical of the Bounded Model Checking technique, of backward and forward loops used to represent an ultimately periodic infinite domain by a finite structure. We report and comment on the new encoding technique and on an extensive set of experiments carried out to assess its feasibility and effectiveness.

Keywords: Bounded model checking, metric temporal logic. 

1 Introduction 

In Bounded Model Checking [1] a system under analysis is modeled as a finite-state transition system and a property to be checked is expressed as a formula in temporal logic. The model and the property are both suitably translated into boolean logic formulae, so that the model checking problem is expressed as an instance of a SAT problem, which can be solved efficiently thanks to the significant improvements that occurred in recent years in the technology of SAT-solver tools [12,3]. Infinite, ultimately periodic temporal structures that assign a value to every element of the model alphabet are encoded through a finite set of boolean variables, and the cyclic structure of the time domain is encoded into a set of loop selector variables that mark the start and end points of the period. As usually occurs in a model checking framework, a (bounded) model-checker tool can either prove a property or disprove it by exhibiting a counterexample, thus providing means to support simulation, test case generation, etc.

In previous work [13], we introduced techniques for managing bi-infinite time in bounded model checking, thus allowing for a simpler and more systematic use of past operators in Linear Temporal Logic. In [14, 15], we took advantage of the fact that, in bounded model-checking, both the model and the formula to be checked are ultimately translated into boolean logic. This makes it possible to provide the model not only as a state-transition system, but, alternatively, as a set of temporal logic formulae. We call this a descriptive model, as opposed to the term operational model used when it consists of a state-transition system. The descriptive model is much more readable and concise if the adopted logic includes past and metric temporal operators, allowing for great flexibility in the degree of detail and abstraction that the designer can adopt in providing the system model. The model-checking problem is reduced to the problem of satisfiability for a boolean formula that encodes both the modeled system and its conjectured property to be verified, hence the name Bounded Satisfiability Checking that we adopted for this approach.

In this paper we take a further step to support efficient Bounded Satisfiability- and 
Bounded Model-checking by introducing a new encoding technique that is particularly 
efficient in case of temporal logic formulae that contain time constants having a high 
numerical value. 

In previous approaches [2, 13-15] the operators of temporal logic that express in a precise and quantitative way some timing constraints were encoded by (rather inefficiently) translating them into combinations of non-metric Linear Temporal Logic operators. For instance, the metric temporal logic formula $\Diamond_{=d}P$, which asserts that property $P$ holds at $d$ time units in the future (w.r.t. the implicit present time at which the formula is asserted), would be translated into $d$ nested applications of the LTL next-time operator, $\circ^{d} P$, and then encoded as a series of operator applications, with obvious overhead.

The new encoding for the metric operators translates the time constants in a way that 
makes the resulting boolean formula much more compact, and the verification carried 
out by the SAT solver-based tools significantly faster. 

Thus our technique can be usefully applied to all cases where temporal logic for- 
mulae that embed important time constants are used. This is both the case of Bounded 
Satisfiability Checking, where the system model is expressed as a (typically quite large) 
set of metric temporal logic formulae, and also of more traditional Bounded Model 
Checking, when the model of the system under analysis is provided by means of a 
state transition system but one intends to check a hard real-time property with explicit, 
quantitatively stated timing constraints. 

The paper is structured as follows. In Section 2 we provide background and mo- 
tivations for our work. Section 3 introduces the new metric encoding and analyzes its 
main features and properties. Section 4 provides an assessment of the new encoding 
by reporting the experimental results obtained on a set of significant benchmark case 
studies. Finally, in Section 5 we draw conclusions. 

2 Preliminaries 

In this section, to make the paper more readable and self-contained, we provide background material on Metric Temporal Logic and bi-infinite time, on Bounded Model- and Satisfiability-Checking, and on the Zot toolkit.

2.1 A metric temporal logic on bi-infinite time 

We first recall here Linear Temporal Logic with past operators (PLTL), in the version 
introduced by Kamp [8], and next extend it with metric temporal operators. 
Syntax of PLTL The alphabet of PLTL includes: a finite set $Ap$ of propositional letters; two propositional connectives $\neg, \vee$ (from which other traditional connectives such as $\top, \bot, \wedge, \rightarrow$ may be defined); four temporal operators (from which other temporal operators can be derived): "until" $\mathcal{U}$, "next-time" $\circ$, "since" $\mathcal{S}$ and "past-time" (or Yesterday) $\bullet$. Formulae are defined in the usual inductive way: a propositional letter $p \in Ap$ is a formula; $\neg\phi$, $\phi \vee \psi$, $\phi\,\mathcal{U}\,\psi$, $\circ\phi$, $\phi\,\mathcal{S}\,\psi$, $\bullet\phi$ are formulae, where $\phi, \psi$ are formulae; nothing else is a formula.

The traditional "eventually" and "globally" operators may be defined as: $\Diamond\phi$ is $\top\,\mathcal{U}\,\phi$, $\Box\phi$ is $\neg\Diamond\neg\phi$. Their past counterparts are: $\blacklozenge\phi$ is $\top\,\mathcal{S}\,\phi$, $\blacksquare\phi$ is $\neg\blacklozenge\neg\phi$. Another useful operator for PLTL is "Always" $\mathrm{Alw}$, defined as $\mathrm{Alw}\,\phi := \Box\phi \wedge \blacksquare\phi$. The intended meaning of $\mathrm{Alw}\,\phi$ is that $\phi$ must hold in every instant in the future and in the past. Its dual is "Sometimes" $\mathrm{Som}\,\phi$, defined as $\neg\mathrm{Alw}\,\neg\phi$.

The dual operators of Until and Since, i.e., "Release" $\mathcal{R}$: $\phi\,\mathcal{R}\,\psi$ is $\neg(\neg\phi\,\mathcal{U}\,\neg\psi)$, and, respectively, "Trigger" $\mathcal{T}$: $\phi\,\mathcal{T}\,\psi$ is $\neg(\neg\phi\,\mathcal{S}\,\neg\psi)$, allow the convenient positive normal form: formulae are in positive normal form if their alphabet is $\{\wedge, \vee, \mathcal{U}, \mathcal{R}, \circ, \mathcal{S}, \bullet, \mathcal{T}\} \cup Ap \cup \overline{Ap}$, where $\overline{Ap}$ is the set of formulae of the form $\neg p$ for $p \in Ap$. This form, where negations may only occur on atoms, is very convenient when defining encodings of PLTL into propositional logic. Every PLTL formula $\phi$ on the alphabet $\{\neg, \vee, \mathcal{U}, \circ, \mathcal{S}, \bullet\} \cup Ap$ may be transformed into an equivalent formula $\phi'$ in positive normal form.

For the sake of brevity, we also allow $n$-ary predicate letters (with $n \geq 1$) and the $\forall, \exists$ quantifiers as long as their domains are finite. Hence, one can write, e.g., formulae of the form $\exists p\,\phi(p)$, with $p$ ranging over $\{1, 2, 3\}$, as a shorthand for $\bigvee_{p \in \{1,2,3\}} \phi(p)$.

Semantics of PLTL In our past work [13], we introduced a variant of bounded model checking where the underlying, ultimately periodic timing structure was not constrained to be infinite only in the future, but may extend indefinitely also towards the past, thus allowing for a simple and intuitive modeling of continuously functioning systems like monitoring and control devices. In [14], we investigated the performance of verification in many case studies, showing that tool performance on bi-infinite structures is comparable to that on mono-infinite ones. Hence adopting a bi-infinite notion of time does not impose very significant penalties on the efficiency of bounded model checking and bounded satisfiability checking. Therefore, in what follows, we present only the simpler bi-infinite semantics of PLTL. Each experiment of Section 4 uses either bi-infinite time (when there are past operators) or mono-infinite time (typically, when there are only future operators).

A bi-infinite word $S$ over alphabet $2^{Ap}$ (also called a $\mathbb{Z}$-word) is a function $S : \mathbb{Z} \rightarrow 2^{Ap}$. Hence, each position $j$ of $S$, denoted by $S_j$, is in $2^{Ap}$ for every $j$. Word $S$ is also denoted as $\ldots S_{-1} S_0 S_1 \ldots$. The set of all bi-infinite words over $2^{Ap}$ is denoted by $(2^{Ap})^{\mathbb{Z}}$.

For all PLTL formulae $\phi$, for all $S \in (2^{Ap})^{\mathbb{Z}}$, for all integer numbers $i$, the satisfaction relation $S, i \models \phi$ is defined as follows.

$S, i \models p \iff p \in S_i$, for $p \in Ap$

$S, i \models \neg\phi \iff S, i \not\models \phi$

$S, i \models \phi \vee \psi \iff S, i \models \phi$ or $S, i \models \psi$

$S, i \models \circ\phi \iff S, i+1 \models \phi$

$S, i \models \phi\,\mathcal{U}\,\psi \iff \exists k \geq 0 \mid S, i+k \models \psi$, and $S, i+j \models \phi\ \ \forall\, 0 \leq j < k$

$S, i \models \bullet\phi \iff S, i-1 \models \phi$

$S, i \models \phi\,\mathcal{S}\,\psi \iff \exists k \geq 0 \mid S, i-k \models \psi$, and $S, i-j \models \phi\ \ \forall\, 0 \leq j < k$

Metric temporal operators Metric operators are very convenient for modeling hard real time systems, with quantitative time constraints. The operators introduced in this section do not actually extend the expressive power of PLTL, but may lead to more succinct formulae. Their semantics is defined by a straightforward translation $\tau$ into PLTL.

Let $\sim \in \{\leq, =, \geq\}$, and $c$ be a natural number. We consider here two metric operators, one in the future and one in the past: the bounded eventually $\Diamond_{\sim c}\phi$, and its past counterpart $\blacklozenge_{\sim c}\phi$. The semantics of the future operators is the following (the past versions are analogous):

$\tau(\Diamond_{=0}\phi) := \phi$

$\tau(\Diamond_{=t}\phi) := \circ\,\tau(\Diamond_{=t-1}\phi)$, for $t > 0$

$\tau(\Diamond_{\leq 0}\phi) := \phi$

$\tau(\Diamond_{\leq t}\phi) := \phi \vee \circ\,\tau(\Diamond_{\leq t-1}\phi)$, for $t > 0$

$\tau(\Diamond_{\geq 0}\phi) := \Diamond\phi$

$\tau(\Diamond_{\geq t}\phi) := \circ\,\tau(\Diamond_{\geq t-1}\phi)$, for $t > 0$

Versions of the bounded operators with $\{<, >\}$ may be introduced as a shorthand. For instance, $\Diamond_{>0}\phi$ stands for $\circ\Diamond\phi$. Two other dual operators are "bounded globally": $\Box_{\sim c}\phi$ is $\neg\Diamond_{\sim c}\neg\phi$, and its past counterpart is $\blacksquare_{\sim c}\phi$, which is defined as $\neg\blacklozenge_{\sim c}\neg\phi$.

Other metric operators are commonly introduced as primitive, such as bounded ver- 
sions of U and S (see e.g. [13]), and then the bounded eventually operators are derived 
from them. In our experience, however, the four operators above are much more com- 
mon in specifications, therefore we chose to implement them as native and leave the 
others as derived. 

Notice that the duals w.r.t. negation of the metric past operators, together with $\bullet$, must be introduced for mono-infinite temporal structures, to take into account the possibility of referring to instants outside the temporal domain. In the rest of the paper we will assume the temporal domain to be bi-infinite. The complete mono-infinite encoding is presented in the appendix.

2.2 Bounded Model Checking vs. Bounded Satisfiability Checking 

The traditional approach to verification of finite state systems is based on building an operational model of the system to be analyzed, i.e., a set of clauses that constrain the transition of the system from a state valid in one given instant, the current state, to the next state, reached by the modeled system in the successive time instant. The property to be checked, however, is expressed with a different formalism, namely as a formula in temporal logic. Model checking tools, such as bounded model checkers like SMV, take these two descriptions as input and check whether the property is verified on the system, or compute a counterexample.

However, systems may often be described using a complementary style of modeling, called the descriptive approach. This is based on the idea of characterizing the modeled system through its fundamental properties, described by means of temporal logic formulae on an alphabet of items that correspond to the interface of the system with the external world, without considering any possible further internal components that might be necessary for its functioning. Such formulae are not constrained in any way in their form: they may refer to any time instant, possibly relating actions and events occurring at any arbitrary distance in time, or they may constrain values and behaviors for arbitrarily long time intervals.

Hence, in the descriptive approach both the system under analysis and the property to be checked are expressed in a single uniform notation as formulae of temporal logic. In this setting, which we called bounded satisfiability checking (BSC [13]), the system under analysis is characterized by a formula $\phi$ (that in all non-trivial cases would be of significant size) and the additional property to be checked (e.g. a further desired requirement) is expressed as another (usually much smaller) formula $\psi$. A bounded model checker in this case is used to prove that any implementation of the system under analysis possessing the assumed fundamental properties $\phi$ would also ensure the additional property $\psi$; in other terms, the model checker would prove that the formula $\phi \rightarrow \psi$ is valid, or equivalently that its negation is not satisfiable (hence the term satisfiability checking).

Satisfiability verification is very useful, in its simplest form, as a means for performing a sort of testing [4] or sanity check of the specification [11, 16], or to prove properties of correct implementation [15] or, more generally, it allows the designer to perform System Requirement Analysis [5]. The adoption of a descriptive style in modeling a system under analysis is made possible by the use of Metric Temporal Logic (because formulae might refer to arbitrarily far-away time instants or to arbitrarily long time intervals) and requires the adoption of verification methods and tools, like the ones introduced in the present work, that deal efficiently with the important time constants that are typically present in the specification formulae.

Example of descriptive vs. operational models: a timed lamp As a very simple example of the above introduced concepts we consider the so-called timer-reset-lamp (TRL). The lamp has two buttons, ON and OFF: when the ON button is pressed the lamp is lit and it may remain so, if no other event occurs, for $\Delta$ time units (t.u.), after which it goes off spontaneously. The lighting of the lamp can be terminated by a push of the OFF button, or it can be extended by a further $\Delta$ t.u. by a new press of the ON button. To ensure that the press of a button is always meaningful, it is assumed that ON and OFF cannot be pressed simultaneously.

A descriptive model of TRL is based on the following three propositional letters: $L$ (the light is on), $ON$ (the button to turn it on is pressed), and $OFF$ (the button to turn it off is pressed). The descriptive model consists of the following axiom:

$\mathrm{Alw}\,\big(\neg(ON \wedge OFF) \wedge (L \leftrightarrow \exists x\,(0 \leq x \leq \Delta \wedge \blacklozenge_{=x} ON \wedge \blacksquare_{<x} \neg OFF))\big)$
which expresses the mutual exclusion between the pressing of the ON and OFF buttons, and states that the lamp is on (at the current time) if and only if the ON button was pressed not more than $\Delta$ time units ago and since then the OFF button was never pressed. Since the axiom is enclosed in a universal temporal quantification (an $\mathrm{Alw}$ operator), it must hold for all instants of the temporal domain. This descriptive model, despite its simplicity and succinctness, characterizes completely the TRL system: starting from it, one can generate valid histories for the system, or one can (dis)prove (conjectured) properties.

We now show how an operational model for the TRL system can be provided. As mentioned above, the idea is to define, for each instant, the next system state based on the current state and, possibly, on the stimuli coming, still at the current time, from the environment. A brief reflection shows however that the current state of the TRL system is not completely characterized by the value of the predicate letter $L$; e.g., if at a given time the lamp is on and no button is pressed, this does not imply that the lamp will still be on at the next time instant, since this obviously depends on the time that has elapsed since the last press of the ON button. To model explicitly this component of the state it is therefore necessary to introduce a further element in the alphabet of the model: a counter variable ranging in the interval $[0 \ldots \Delta]$ to store exactly this information.

With this addition the definition of the operational model, using any of the notations adopted in traditional model checkers, like NuSMV or Spin, becomes an easy exercise, which is not reported here for the sake of brevity.

Clearly, an operational model provides a complete and unambiguous characterization of the TRL system, just as the descriptive model does.
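The two models of the TRL can be compared mechanically. The following Python code is an added example and is not taken from the paper or from Zot: it checks the descriptive axiom above at every instant of a finite trace, implements the operational model as a next-state function over the state $(L, \text{counter})$ with the counter in $[0 \ldots \Delta]$, and then runs every admissible button sequence of a given length through the operational model to confirm that each resulting history satisfies the axiom. The value $\Delta = 3$, the trace representation and all function names are constructed for the example; instants before the start of a finite trace are assumed quiescent (no button pressed), which is an assumption of the example rather than of the paper.

```python
# Added example (not the paper's or Zot's code): the timer-reset lamp in both styles.
# The descriptive axiom is checked directly on a trace; the operational model is a
# next-state function with the [0..DELTA] counter; the two are compared on every
# admissible input sequence up to a given length.
from itertools import product
from typing import Dict, List, Sequence, Tuple

DELTA = 3                   # constructed value of the Delta constant for this example
Instant = Dict[str, bool]   # one position of a trace: the values of ON, OFF and L


def descriptive_ok(trace: Sequence[Instant], delta: int = DELTA) -> bool:
    """Check the axiom
         Alw( not(ON and OFF) and
              (L <-> exists x in 0..delta: past_{=x} ON and box-past_{<x} not OFF) )
    at every instant of a finite trace. Instants before the trace are assumed
    quiescent (no button pressed): an assumption of this example."""
    for i, now in enumerate(trace):
        if now['ON'] and now['OFF']:
            return False
        lamp_should_be_on = any(
            i - x >= 0 and trace[i - x]['ON']                      # past_{=x} ON
            and all(not trace[i - y]['OFF'] for y in range(x))     # box-past_{<x} not OFF
            for x in range(delta + 1))
        if now['L'] != lamp_should_be_on:
            return False
    return True


def operational_trace(inputs: Sequence[Tuple[bool, bool]], delta: int = DELTA) -> List[Instant]:
    """Operational model: state = (lit, remaining), remaining in [0..delta] being the
    time the lamp still stays on once lit. Returns the history of (ON, OFF, L)."""
    lit, remaining = False, 0
    trace: List[Instant] = []
    for on, off in inputs:
        if on and off:
            raise ValueError("ON and OFF cannot be pressed simultaneously")
        if on:                       # (re)start the timer
            lit, remaining = True, delta
        elif off:                    # switch off immediately
            lit, remaining = False, 0
        elif lit and remaining > 0:  # keep burning, timer runs down
            remaining -= 1
        elif lit:                    # timer expired: go off spontaneously
            lit = False
        trace.append({'ON': on, 'OFF': off, 'L': lit})
    return trace


def lamp_values(inputs: Sequence[Tuple[bool, bool]], delta: int = DELTA) -> List[bool]:
    """Just the L column of the operational history."""
    return [s['L'] for s in operational_trace(inputs, delta)]


def models_agree(length: int, delta: int = DELTA) -> bool:
    """Every history of the operational model satisfies the descriptive axiom, for all
    3**length admissible button sequences. Because the axiom fixes L once the inputs
    are given, this also means the descriptive model admits no other history."""
    buttons = [(False, False), (True, False), (False, True)]
    return all(descriptive_ok(operational_trace(seq, delta), delta)
               for seq in product(buttons, repeat=length))


if __name__ == '__main__':
    press_on_then_wait = [(True, False)] + [(False, False)] * 4
    print(lamp_values(press_on_then_wait))   # lit for DELTA + 1 instants, then off
    print(models_agree(6))
```

Flipping the $L$ value of a single instant in an operational history makes `descriptive_ok` reject it, which is exactly the kind of counterexample a bounded satisfiability check over `spec ∧ ¬prop` reports.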

2.3 The Zot toolkit 

Zot is an agile and easily extensible bounded model checker, which can be downloaded at http://home.dei.polimi.it/pradella/, together with the case studies and results described in Section 4. Zot provides a simple language to describe both descriptive and operational models, and to mix them freely. This is possible since both models are ultimately translated into boolean logic, to be fed to a SAT solver (Zot supports various SAT solvers, like MiniSat [3] and MiraXT [10]). The tool supports different logic languages through a multi-layered approach: its core uses PLTL, and on top of it a decidable predicative fragment of TRIO [6] is defined (essentially equivalent to Metric PLTL). An interesting feature of Zot is its ability to support different encodings of temporal logic as SAT problems by means of plugins. This approach encourages experimentation, as plugins are expected to be quite simple, compact (usually around 500 lines of code), easily modifiable, and extensible.
Zot offers two basic usage modalities:

1. Bounded satisfiability checking (BSC): given as input a specification formula, the 
tool returns a (possibly empty) history (i.e., an execution trace of the specified sys- 
tem) which satisfies the specification. An empty history means that it is impossible 
to satisfy the specification. 

2. Bounded model checking (BMC): given as input an operational model of the system 
and a property, the tool returns a (possibly empty) history (i.e., an execution trace 
of the specified system) which satisfies it. 
The provided output histories have temporal length $\leq k$, the bound $k$ being chosen by the user, but may represent infinite behaviors thanks to the encoding techniques illustrated in Section 3. The BSC/BMC modalities can be used to check if a property $prop$ of the given specification $spec$ holds over every periodic behavior with period $\leq k$. In this case, the input file contains $spec \wedge \neg prop$, and, if $prop$ indeed holds, then the output history is empty. If this is not the case, the output history is a counterexample, explaining why $prop$ does not hold.

3 Encoding of metric temporal logic 

We describe next the encoding of PLTL formulae into boolean logic, whose result includes additional information on the finite structure over which a formula is interpreted, so that the resulting boolean formula is satisfied in the finite structure if and only if the original PLTL formula is satisfied in a (finite or possibly) infinite structure. For simplicity, we present a variant of the bi-infinite encoding originally published in [13], and then introduce metric operators on it. Indeed, when past operators are introduced over a mono-infinite structure (e.g., [2]), the encoding can be tricky to define, because of the asymmetric role of future and past: future operators do extend to infinity, while past operators only deal with a finite prefix. The reader may refer to [13] and [14] for a more thorough comparison between mono- and bi-infinite approaches to bounded model checking.



For brevity in the following we call state $S_i$ the set of assignments of truth values to propositional variables at time $i$. The idea on which the encoding is based is graphically depicted in Figure 1. An ultimately periodic bi-infinite structure has a finite representation that includes a non periodic portion, and two periodic portions (one towards the future, and one towards the past). The interpreter of the formula (in our case, the SAT solver), when it needs to evaluate a formula at a state beyond the last state $S_k$, will follow the "backward link" and consider the states $S_l, S_{l+1}, \ldots$ as the states following $S_k$. Analogously, to evaluate a formula at a state preceding the first state $S_0$, it will follow the "forward link" and consider the states $S_{l'}, S_{l'-1}, \ldots$ as the states preceding $S_0$.

Fig. 1. A bi-infinite bounded path.

The encoding of the model (i.e. the operational description of the system, if any) is standard, see e.g. [2]. In the following we focus on the encoding of the logic part $\Phi$ of the system (or its properties).

Let $\Phi$ be a PLTL formula. Its semantics is given as a set of boolean constraints over the so called formula variables, i.e., fresh unconstrained propositional variables. There is a variable $\|\phi\|_i$ for each subformula $\phi$ of $\Phi$ and for each instant $0 \leq i \leq k+1$ (instant $k+1$, which is not explicitly shown in Figure 1, has a particular role in the encoding, as we will show next).

First, one needs to constrain the propositional operators in $\Phi$. For instance, if $\phi_1 \wedge \phi_2$ is a subformula of $\Phi$, then each variable $\|\phi_1 \wedge \phi_2\|_i$ must be equivalent to the conjunction of the variables $\|\phi_1\|_i$ and $\|\phi_2\|_i$.

Propositional constraints, with $p$ denoting a propositional symbol, for $0 \leq i \leq k$:

$p$: $\|p\|_i \iff p \in S_i$

$\neg p$: $\|\neg p\|_i \iff p \notin S_i$

$\phi_1 \wedge \phi_2$: $\|\phi_1 \wedge \phi_2\|_i \iff \|\phi_1\|_i \wedge \|\phi_2\|_i$

$\phi_1 \vee \phi_2$: $\|\phi_1 \vee \phi_2\|_i \iff \|\phi_1\|_i \vee \|\phi_2\|_i$


The following formulae define the basic temporal behavior of the PLTL operators, by using their traditional fixpoint characterizations.
Temporal subformulae constraints:

$-1 \leq i \leq k$:

$\circ\phi_1$: $\|\circ\phi_1\|_i \iff \|\phi_1\|_{i+1}$

$\phi_1\,\mathcal{U}\,\phi_2$: $\|\phi_1\,\mathcal{U}\,\phi_2\|_i \iff \|\phi_2\|_i \vee (\|\phi_1\|_i \wedge \|\phi_1\,\mathcal{U}\,\phi_2\|_{i+1})$

$\phi_1\,\mathcal{R}\,\phi_2$: $\|\phi_1\,\mathcal{R}\,\phi_2\|_i \iff \|\phi_2\|_i \wedge (\|\phi_1\|_i \vee \|\phi_1\,\mathcal{R}\,\phi_2\|_{i+1})$   (1)

$0 \leq i \leq k+1$:

$\bullet\phi_1$: $\|\bullet\phi_1\|_i \iff \|\phi_1\|_{i-1}$

$\phi_1\,\mathcal{S}\,\phi_2$: $\|\phi_1\,\mathcal{S}\,\phi_2\|_i \iff \|\phi_2\|_i \vee (\|\phi_1\|_i \wedge \|\phi_1\,\mathcal{S}\,\phi_2\|_{i-1})$

$\phi_1\,\mathcal{T}\,\phi_2$: $\|\phi_1\,\mathcal{T}\,\phi_2\|_i \iff \|\phi_2\|_i \wedge (\|\phi_1\|_i \vee \|\phi_1\,\mathcal{T}\,\phi_2\|_{i-1})$

Notice that such constraints do not consider the implicit eventualities that the def- 
initions of U and S impose (they treat them as the "weak" until and since operators), 
nor consider loops in the time structure. 

To deal with eventualities and loops, one has to encode an infinite structure into a finite one composed of $k+1$ states $S_0, S_1, \ldots, S_k$. The "future" loop can be described by means of other $k+1$ fresh propositional variables $l_0, l_1, \ldots, l_k$, called loop selector variables. At most one of these loop selector variables may be true. If $l_i$ is true then state $S_{i-1} = S_k$, i.e., the bit vectors representing the state $S_{i-1}$ are identical to those for state $S_k$. Further propositional variables, $\mathrm{InLoop}_i$ ($0 \leq i \leq k$) and $\mathrm{LoopExists}$, respectively mean that position $i$ is inside a loop and that a loop actually exists in the structure. Symmetrically, there are new loop selector variables $l'_i$ to define the loop which goes towards the past, and the corresponding propositional letters $\mathrm{InLoop}'_i$ and $\mathrm{LoopExists}'$.

The variables defining the loops are constrained by the following set of formulae.
Loop constraints:

Base: $\neg l_0 \wedge \neg\mathrm{InLoop}_0 \wedge \neg l'_k \wedge \neg\mathrm{InLoop}'_k$

$1 \leq i \leq k$: $(l_i \Rightarrow S_{i-1} = S_k) \wedge (\mathrm{InLoop}_i \iff \mathrm{InLoop}_{i-1} \vee l_i) \wedge (\mathrm{InLoop}_{i-1} \Rightarrow \neg l_i) \wedge (\mathrm{LoopExists} \iff \mathrm{InLoop}_k)$

$0 \leq i \leq k-1$: $(l'_i \Rightarrow S_{i+1} = S_0) \wedge (\mathrm{InLoop}'_i \iff \mathrm{InLoop}'_{i+1} \vee l'_i) \wedge (\mathrm{InLoop}'_{i+1} \Rightarrow \neg l'_i) \wedge (\mathrm{LoopExists}' \iff \mathrm{InLoop}'_0)$
The above loop constraints state that the structure may have at most one loop in the future and at most one loop in the past. In the case of a cyclic structure, they allow the SAT solver to nondeterministically select exactly one of the (possibly) many loops.

To properly define eventualities, we need to introduce new propositional letters $\langle\langle \Diamond\phi_2 \rangle\rangle_i$, for each $\phi_1\,\mathcal{U}\,\phi_2$ subformula of $\Phi$, and for every $0 \leq i \leq k+1$. Analogously, we need to consider subformulae containing the operator $\mathcal{R}$, such as $\phi_1\,\mathcal{R}\,\phi_2$, by adding the new propositional letters $\langle\langle \Box\phi_2 \rangle\rangle_i$. This is also symmetrically applied to $\mathcal{S}$ and $\mathcal{T}$, using $\blacklozenge$ and $\blacksquare$. Then, constraints on these eventuality propositions are quite naturally stated as follows.

Eventuality constraints:

Base:

$\phi_1\,\mathcal{U}\,\phi_2$: $\neg\langle\langle \Diamond\phi_2 \rangle\rangle_0 \wedge (\mathrm{LoopExists} \Rightarrow (\|\phi_1\,\mathcal{U}\,\phi_2\|_k \Rightarrow \langle\langle \Diamond\phi_2 \rangle\rangle_k))$

$\phi_1\,\mathcal{R}\,\phi_2$: $\langle\langle \Box\phi_2 \rangle\rangle_0 \wedge (\mathrm{LoopExists} \Rightarrow (\|\phi_1\,\mathcal{R}\,\phi_2\|_k \Leftarrow \langle\langle \Box\phi_2 \rangle\rangle_k))$

$\phi_1\,\mathcal{S}\,\phi_2$: $\neg\langle\langle \blacklozenge\phi_2 \rangle\rangle_k \wedge (\mathrm{LoopExists}' \Rightarrow (\|\phi_1\,\mathcal{S}\,\phi_2\|_0 \Rightarrow \langle\langle \blacklozenge\phi_2 \rangle\rangle_0))$

$\phi_1\,\mathcal{T}\,\phi_2$: $\langle\langle \blacksquare\phi_2 \rangle\rangle_k \wedge (\mathrm{LoopExists}' \Rightarrow (\|\phi_1\,\mathcal{T}\,\phi_2\|_0 \Leftarrow \langle\langle \blacksquare\phi_2 \rangle\rangle_0))$

$1 \leq i \leq k$:

$\phi_1\,\mathcal{U}\,\phi_2$: $\langle\langle \Diamond\phi_2 \rangle\rangle_i \iff \langle\langle \Diamond\phi_2 \rangle\rangle_{i-1} \vee (\mathrm{InLoop}_i \wedge \|\phi_2\|_i)$

$\phi_1\,\mathcal{R}\,\phi_2$: $\langle\langle \Box\phi_2 \rangle\rangle_i \iff \langle\langle \Box\phi_2 \rangle\rangle_{i-1} \wedge (\neg\mathrm{InLoop}_i \vee \|\phi_2\|_i)$

$0 \leq i \leq k-1$:

$\phi_1\,\mathcal{S}\,\phi_2$: $\langle\langle \blacklozenge\phi_2 \rangle\rangle_i \iff \langle\langle \blacklozenge\phi_2 \rangle\rangle_{i+1} \vee (\mathrm{InLoop}'_i \wedge \|\phi_2\|_i)$

$\phi_1\,\mathcal{T}\,\phi_2$: $\langle\langle \blacksquare\phi_2 \rangle\rangle_i \iff \langle\langle \blacksquare\phi_2 \rangle\rangle_{i+1} \wedge (\neg\mathrm{InLoop}'_i \vee \|\phi_2\|_i)$



The formulae in the following table provide the constraints that must be included in the encoding, for any subformula $\phi$, to account for the absence of a forward loop in the structure (the first line of the table states that if there is no loop nothing is true beyond the $k$-th state) or its presence (the second line states that if there is a loop at position $i$ then states $S_{k+1}$ and $S_i$ are equivalent).

Last state constraints:

Base: $\neg\mathrm{LoopExists} \Rightarrow \neg\|\phi\|_{k+1}$

$1 \leq i \leq k$: $l_i \Rightarrow (\|\phi\|_{k+1} \iff \|\phi\|_i)$

Then, symmetrically to the last state, we must define first state (i.e. time) constraints (notice that in the bi-infinite encoding instant $-1$ has a role symmetric to that of instant $k+1$).

First state constraints:

Base: $\neg\mathrm{LoopExists}' \Rightarrow \neg\|\phi\|_{-1}$

$0 \leq i \leq k-1$: $l'_i \Rightarrow (\|\phi\|_{-1} \iff \|\phi\|_i)$   (3)

The complete encoding of $\Phi$ consists of the logical conjunction of all above components, together with $\|\Phi\|_0$ (i.e. $\Phi$ is evaluated only at instant 0).
3.1 Encoding of the metric operators

We present here the additional constraints one has to add to the previous encoding, to 
natively support metric operators. We actually implemented also a mono-infinite metric 
encoding in Zot, but for simplicity we are focusing here only on the bi-infinite one. 
Notice that 

(the past versions are analogous). Hence, in the following we will not consider the =t , 
()>t, □ operators, and their past counterparts. 

Ideally, with an unbounded time structure, the encoding of the metric operators should be the following one (considering only the future, as the past is symmetrical):

$\|\Diamond_{=t}\phi\|_i \iff \|\phi\|_{i+t}$, $\qquad \|\Box_{\leq t}\phi\|_i \iff \bigwedge_{j=0}^{t} \|\phi\|_{i+j}$

Unfortunately, the presence of a bounded time structure, in which bi-infinity is encoded through loops, makes the encoding less straightforward. With simple PLTL one refers at most to one instant in the future (or in the past) or to an eventuality. As the reader may notice in the foregoing encoding, this is still quite easy, also in the presence of loops. On the other hand, the presence of metric operators impacts directly on the loop-based structure, as logic formulae can now refer to time instants well beyond a single future (or past) unrolling of the loop.

To represent the values of subformulae inside the future and past loops, we introduce new propositional variables, $\langle\langle \mathrm{MF}(\cdot,\cdot) \rangle\rangle$ for the future-tense operators, and $\langle\langle \mathrm{MP}(\cdot,\cdot) \rangle\rangle$ for the past ones. For instance, for $\Diamond_{=5}\psi$, we introduce $\langle\langle \mathrm{MF}(\psi, j) \rangle\rangle$, $0 \leq j \leq 4$, where the propositions $\langle\langle \mathrm{MF}(\psi, j) \rangle\rangle$ are used to represent the value of $\psi$ $j$ time units after the starting point of the future loop. This means that, if the future loop selector is at instant 18 (i.e. $l_{18}$ holds), then $\langle\langle \mathrm{MF}(\psi, 2) \rangle\rangle$ represents $\|\psi\|_{20}$ (i.e. $\psi$ at instant $18+2$). Analogously and symmetrically, $\langle\langle \mathrm{MP}(\psi, j) \rangle\rangle$ are introduced for past operators with argument $\psi$, and represent the value of $\psi$ $j$ time units after the starting point of the past loop. That is, if the past loop selector is at instant 7 (i.e. $l'_7$), then $\langle\langle \mathrm{MP}(\psi, 2) \rangle\rangle$ represents $\|\psi\|_{7-2}$.

The first constraints are introduced for any future or past metric formulae in $\Phi$.

[Table of the MF/MP constraints, for $0 \leq j \leq t-1$: one row for $\Diamond_{=t}\phi$ and $\Box_{\leq t}\phi$ defining $\langle\langle \mathrm{MF}(\phi, j) \rangle\rangle$, and one row for $\blacklozenge_{=t}\phi$ and $\blacksquare_{\leq t}\phi$ defining $\langle\langle \mathrm{MP}(\phi, j) \rangle\rangle$.]
We now provide the encoding of every metric operator, composed of two parts: the first one defines it inside the bounded portion of the temporal structure (i.e. for instants $i$ in $0 \leq i \leq k$), and the other one, based on MF and MP, for the loop portion.
The most complex part of the metric encoding is the one considering the behavior on the past loop of future operators, and on the future loop of the past operators. First, let us consider the behavior of future metric operators on the past loop.



[Table (6), for $0 \leq i \leq k-1$: for $\Diamond_{=t}\phi$, an upper formula relating $\|\phi\|_{i+j}$ to $\|\phi\|_{\mathrm{mod}(\cdot,\, i+1)}$, and a lower formula referring to $\langle\langle \mathrm{MF}(\phi, i+j-k-1) \rangle\rangle$; for $\Box_{\leq t}\phi$, an upper and a lower formula over the indices $\min(k, i+t-j)$ and the $\mathrm{InLoop}'$ variables.]

The main aspect to consider is the fact that, if $l'_i$ holds (i.e. the past loop selector variable holds at instant $i$), then $i$ has two possible successors: $i+1$ and $0$. Therefore, if $\Diamond_{=4}\phi$ holds at $i$ (which is inside the past loop), then $\phi$ must hold both at $i+4$ and at $3$. This kind of constraint is captured by the upper formula for $\Diamond_{=t}\phi$, which relates the truth values of $\phi$ in instants outside of the past loop (i.e., $\|\phi\|_{i+j}$) with the instants inside (i.e., $\|\phi\|_{\mathrm{mod}(j-i,\, i+1)}$ represents the value of $\phi$ at instants going from $0$ to $i$, if $l'_i$ holds).

Another aspect to consider is related to the size of the time constant used (i.e. $t$ in this case). Indeed, if $i+t > k$, then we are considering the behavior of $\phi$ outside the bound $0..k$. This means that we need to consider the behavior of $\phi$ also in the future loop, hence we refer to $\langle\langle \mathrm{MF}(\phi, i+j-k-1) \rangle\rangle$ (see the lower formula for $\Diamond_{=t}\phi$).

As far as $\Box_{\leq t}\phi$ is concerned, its behavior inside the past loop is in general expressed by two parts. The first one considers $\phi$ inside the past loop, starting from instant $i$ and going forward, towards the right end of the loop (i.e. where $l'$ holds, say $i'$). This situation is covered by the upper formula for $\Box_{\leq t}\phi$. If $i+t$ is still inside the past loop (i.e. $i+t \leq i'$), this suffices. If this is not the case, we must consider the remaining instants, going from $i'+1$ to $i+t$. Because we are considering the behavior inside the past loop, the instant after $i'$ is $0$, so we must translate instants outside of the loop (i.e. where $\mathrm{InLoop}'$ does not hold) to instants going from $0$ to $i+t-i'-1$: in all these instants $\phi$ must hold. This constraint is given by the lower formula for $\Box_{\leq t}\phi$.
The encoding for the past operators is symmetrical, and is the following:



The actual implementation of the metric encoding contains some optimizations, not reported here for the sake of brevity, like the re-use, whenever possible, of the various $\langle\langle \mathrm{MF}(\cdot,\cdot) \rangle\rangle$ and $\langle\langle \mathrm{MP}(\cdot,\cdot) \rangle\rangle$ propositional letters.
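The two loops described above, and the way a metric operator's time constant reaches across them, can be made concrete by evaluating formulae directly on the finite representation. The following Python code is an added example, not part of the paper or of the Zot toolkit: it represents a bi-infinite ultimately periodic word by its states $S_0 \ldots S_k$ together with a future loop selector $l_i$ and a past loop selector $l'_i$, resolves any integer instant (also well beyond $k$ or before $0$) to the state it denotes by following the backward and forward links, evaluates $\Diamond_{=t}$, $\Diamond_{\leq t}$, $\Box_{\leq t}$, $\blacklozenge_{=t}$ and $\blacklozenge_{\leq t}$ directly on that structure, and checks the result against the translation $\tau$ of Section 2.1. The nested-tuple formula syntax, the class and function names and the sample structure with $k = 5$ are constructed for this example; where no loop covers an instant, the example treats every proposition as false there, which is the reading the last and first state constraints give.

```python
# Added example (not Zot's code): evaluate metric operators on the finite loop
# representation of an ultimately periodic bi-infinite word, and check the result
# against the PLTL translation tau of Section 2.1.
from typing import FrozenSet, List, Optional

Formula = tuple  # ('p', name) | ('not', f) | ('and', f, g) | ('or', f, g) | ('next', f)
                 # | ('yest', f) | ('F=', t, f) | ('F<=', t, f) | ('G<=', t, f)
                 # | ('P=', t, f) | ('P<=', t, f)


class BoundedPath:
    """States S_0..S_k plus an optional future loop selector l_i (1 <= i <= k, meaning
    S_{i-1} = S_k, so S_i follows S_k) and an optional past loop selector l'_i
    (0 <= i <= k-1, meaning S_{i+1} = S_0, so S_i precedes S_0)."""

    def __init__(self, states: List[FrozenSet[str]], loop: Optional[int] = None,
                 past_loop: Optional[int] = None):
        self.states = [frozenset(s) for s in states]
        self.k = len(self.states) - 1
        self.loop, self.past_loop = loop, past_loop
        # The same conditions the loop constraints impose on l_i and l'_i.
        if loop is not None:
            assert 1 <= loop <= self.k and self.states[loop - 1] == self.states[self.k]
        if past_loop is not None:
            assert 0 <= past_loop < self.k and self.states[past_loop + 1] == self.states[0]

    def index(self, j: int) -> Optional[int]:
        """Index in 0..k of the state at integer instant j: beyond k follow the backward
        link into the future loop, before 0 the forward link into the past loop.
        None when no loop covers j (nothing is true there)."""
        if 0 <= j <= self.k:
            return j
        if j > self.k:
            if self.loop is None:
                return None
            period = self.k - self.loop + 1              # states S_loop .. S_k
            return self.loop + (j - (self.k + 1)) % period
        if self.past_loop is None:
            return None
        return j % (self.past_loop + 1)                  # states S_0 .. S_past_loop


def holds(path: BoundedPath, f: Formula, j: int) -> bool:
    """Direct semantics of Section 2.1 at instant j, metric operators included."""
    op = f[0]
    if op == 'p':
        idx = path.index(j)
        return idx is not None and f[1] in path.states[idx]
    if op == 'not':
        return not holds(path, f[1], j)
    if op == 'and':
        return holds(path, f[1], j) and holds(path, f[2], j)
    if op == 'or':
        return holds(path, f[1], j) or holds(path, f[2], j)
    if op == 'next':
        return holds(path, f[1], j + 1)
    if op == 'yest':
        return holds(path, f[1], j - 1)
    t, g = f[1], f[2]
    if op == 'F=':
        return holds(path, g, j + t)
    if op == 'F<=':
        return any(holds(path, g, j + d) for d in range(t + 1))
    if op == 'G<=':
        return all(holds(path, g, j + d) for d in range(t + 1))
    if op == 'P=':
        return holds(path, g, j - t)
    if op == 'P<=':
        return any(holds(path, g, j - d) for d in range(t + 1))
    raise ValueError(f"unknown operator {op}")


def translate(f: Formula) -> Formula:
    """The translation tau of Section 2.1: metric operators become nested next-time
    (future) or yesterday (past) operators; box_{<=t} is not diamond_{<=t} not."""
    op = f[0]
    if op == 'p':
        return f
    if op in ('not', 'next', 'yest'):
        return (op, translate(f[1]))
    if op in ('and', 'or'):
        return (op, translate(f[1]), translate(f[2]))
    if op == 'G<=':
        return ('not', translate(('F<=', f[1], ('not', f[2]))))
    if op not in ('F=', 'F<=', 'P=', 'P<='):
        raise ValueError(f"unknown operator {op}")
    t, g = f[1], translate(f[2])
    step = 'next' if op[0] == 'F' else 'yest'
    if op in ('F=', 'P='):                   # t nested next-time / yesterday operators
        for _ in range(t):
            g = (step, g)
        return g
    r = g                                    # diamond_{<=t} phi := phi or next(diamond_{<=t-1} phi)
    for _ in range(t):
        r = ('or', g, (step, r))
    return r


def agrees_with_pltl(path: BoundedPath, f: Formula, instants: range) -> bool:
    """True when a metric formula and its PLTL translation agree on every instant."""
    g = translate(f)
    return all(holds(path, f, j) == holds(path, g, j) for j in instants)


# Constructed structure: k = 5, future loop l_2 (S_1 = S_5), past loop l'_2 (S_3 = S_0).
EXAMPLE = BoundedPath([{'p'}, set(), {'q'}, {'p'}, {'q'}, set()], loop=2, past_loop=2)
```

Evaluating $\Diamond_{=4}p$ at instant 3 of `EXAMPLE` looks up $S_7$, which the backward link resolves to $S_3$; evaluating $\blacklozenge_{=1}q$ at instant 0 looks up $S_{-1}$, which the forward link resolves to $S_2$. These index computations are exactly what the $\langle\langle \mathrm{MF} \rangle\rangle$ and $\langle\langle \mathrm{MP} \rangle\rangle$ variables have to reproduce inside the propositional encoding, where the position of the loop selector is not known until the SAT solver picks it.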

A first assessment of the encoding The behavior of the new encoding has first been experimented with on a very simple specification of a synchronous shift-register, where, at each clock tick, an input bit is shifted by one position to the right. A specification of this system can be described by the following formula:



where in is true when a bit enters the shift register, out is true when a bit "exits" the 
register after a delay d (a constant representing the number of memory bits in the regis- 
ter). The Zot toolkit has been applied to this simple specification, using the nonmetric, 
PLTL-only encoding (i.e. the one presented in [13]) and the new metric encoding. 

The implemented nonmetric encoding is the one presented in the current section, 
without the metric part of Sub-section 3.1. In practice, this means that every metric 
temporal operator is translated into PLTL before applying the encoding, by means of its 
definition of Section 2. 

The experimental results (with the same hardware and software setup described in 
Section 4.1) are graphically shown in Figure 2, where Gen represents the generation 
phase, i.e., the generation of a boolean formula in conjunctive normal form, starting 
from the above specification, and SAT represents the verification phase, performed by 
a SAT solver, with a bound k = 400 and various values of delay d (from 10 to 150). 
The first two upper diagrams show the time, in seconds, for Gen and SAT phases, using 
either a PLTL encoding or the metric encoding, as a function of delay d, while the third 
upper diagram shows the speedup, as a percentage of speed increase over the PLTL 
encoding, when using the metric encoding, again as a function of delay d. As one can 
see, the speed up obtained for both the Gen and SAT phases is proportional to delay d, 
and can be quite substantial (up to 250% for SAT and 300% for Gen phases). The three 
lower diagrams report, in a similar way, on the size of the generated boolean formula, 
in terms of the thousands of variables (Kvar) and clauses (Kcl): the reduction in the size 
of the generated encoding increases with the value of d and tends to reach a stable value 
around 60%. 

These results can be explained by comparing the two encodings. In the previous, 
non-metric encoding the formula ◇=d out is translated into d nested applications of the 
next-time operator, ○^d out, hence there are d + 1 subformulae, ○^i out for 0 ≤ i ≤ d. 
For each of these the encoding procedure generates k + 2 boolean variables, k last 
state constraints of type (2), k first state constraints of type (3), and k + 2 temporal 
subformulae constraints of type (1), for a total of (d + 1)·(k + 2) variables and (d + 
1)·(3·k + 2) constraints. In summary, in the nonmetric encoding we have O(d·k) 
variables and O(d·k) constraints. On the contrary, in the metric encoding of ◇=d out 
there are only two subformulae, ◇=d out itself and out. Now the encoding procedure 
generates 2·(k + 2) variables, plus 2·d MF variables (see equation (4)), for a total of 
2·(d + k + 2) variables. It also generates 4·k first and last state constraints of type (2) 
and (3), k constraints of type (5) plus d constraints of type (4), each of these having size 
O(k), and k constraints of type (6) having size O(d); overall, we have therefore 4·k + d 
constraints, and their total size is significantly smaller than in the nonmetric encoding, 
though it is still O(d·k). Thus in the metric encoding we have O(d + k) variables (fewer than in 
the nonmetric case) and O(d·k) constraints (the same as in the nonmetric case, 
but with a smaller constant factor). The analysis of the other metric temporal operators, 
□≤t φ and ◇≤t φ, leads to similar conclusions. 
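As an added illustration (not the paper's or Zot's code), the following Python evaluates the three future metric operators on a bounded trace with a future loop using the instant mapping that the MF variables encode, instant k+1+j being identified with instant i + mod(j, k−i+1) when l_i holds, and checks the result against brute-force unrolling of the ultimately periodic word. The definitions ◇=t φ ≡ ○^t φ, ◇≤t φ ≡ ∨_{0≤j≤t} ○^j φ and □≤t φ ≡ ∧_{0≤j≤t} ○^j φ are assumed, since Section 2 is not reproduced here.

```python
# Added example, not code from the paper or from Zot. A trace is a list of the
# truth values of phi at instants 0..k; `loop` is the position i (1 <= i <= k)
# whose loop selector l_i holds, i.e. instant k+1 is identified with instant i.
from typing import List

def mf_instant(k: int, loop: int, j: int) -> int:
    """Position in 0..k standing for the unbounded instant k+1+j: this is the
    index i + mod(j, k-i+1) used by the MF constraint, with i = loop."""
    if not (1 <= loop <= k) or j < 0:
        raise ValueError("loop must be in 1..k and j >= 0")
    return loop + j % (k - loop + 1)

def fold(k: int, loop: int, n: int) -> int:
    """Fold any instant n >= 0 into 0..k (identity when n <= k)."""
    return n if n <= k else mf_instant(k, loop, n - k - 1)

def ev_exactly(trace: List[bool], loop: int, i: int, t: int) -> bool:
    """Assumed semantics of <>=t phi at instant i: phi holds at i+t."""
    return trace[fold(len(trace) - 1, loop, i + t)]

def ev_within(trace: List[bool], loop: int, i: int, t: int) -> bool:
    """Assumed semantics of <><=t phi at instant i: phi at some instant in i..i+t."""
    k = len(trace) - 1
    return any(trace[fold(k, loop, i + j)] for j in range(t + 1))

def al_within(trace: List[bool], loop: int, i: int, t: int) -> bool:
    """Assumed semantics of []<=t phi at instant i: phi at every instant in i..i+t."""
    k = len(trace) - 1
    return all(trace[fold(k, loop, i + j)] for j in range(t + 1))

def unrolled(trace: List[bool], loop: int, n: int) -> bool:
    """Reference value of phi at instant n of the infinite word prefix.period^omega,
    with prefix = trace[:loop] and period = trace[loop:] (independent of fold)."""
    if n < loop:
        return trace[n]
    period = trace[loop:]
    return period[(n - loop) % len(period)]

def agrees_with_unrolling(trace: List[bool], loop: int, t_max: int) -> bool:
    """Check the three operators against unrolling for every instant 0..k and
    every t in 0..t_max; t may exceed k, so several turns of the loop are taken."""
    k = len(trace) - 1
    for i in range(k + 1):
        for t in range(t_max + 1):
            window = [unrolled(trace, loop, i + j) for j in range(t + 1)]
            if (ev_exactly(trace, loop, i, t) != window[-1]
                    or ev_within(trace, loop, i, t) != any(window)
                    or al_within(trace, loop, i, t) != all(window)):
                return False
    return True

# Constructed sample: k = 5 and l_3 holds, so the word is F T F followed by
# (T F T) repeated forever; instant 7 = k+1+1 maps to instant 3 + mod(1, 3) = 4.
SAMPLE = [False, True, False, True, False, True]
```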




Fig. 2. Summary of experimental data for the synchronous version of a Shift Register. 
4 Experimental results 

First we briefly describe the five case studies that we adopted for our experiments. For 
all of them we provide both a descriptive and an operational model. A complete archive 
with the files used for the experiments, and the details of the outcomes, can be found in 
the Zot web page at http://home.dei.polimi.it/pradella/. 

Real-time allocator (RTA) This case study, described in [15], consists of a real- 
time allocator which serves a set of client processes competing for a shared resource. 
The system numeric parameters are the number of processes n_p, the constant T_req 
within which the allocator must respond to the requests, and the maximum time T_rel 
that a process can keep the resource before releasing it. In our experiments, both a 
descriptive and an operational model were considered, using three processes, and with 
two different system settings for each version: a first one with T_rel = T_req = 3, and 
a second one with T_rel = T_req = 10. We first generated a simple run of the system 
(Property Sat); then we considered four hard real time properties, described in [15], 
called Simple Fairness, Conditional Fairness, Precedence, and Suspend Fairness. It is 
worth noticing that the formula specifying Suspend Fairness includes a relatively high 
time constant (T_rel · n_p) and is therefore likely to benefit from the metric encoding. 
We adopted the bi-infinite encoding for this case study, which allowed us to consider only 
regime behaviors, thus abstracting away system initialization. 

Fischer's protocol (FP) FP [9] is a timed mutual exclusion algorithm that allows 
a number of timed processes to access a shared resource. We considered the system in 
two variants: one with 3 processes and a delay of 5 t.u.; the other one with 4 processes and 
a delay of 10 t.u. We used the tool to check the safety property (i.e. it is never possible 
that two different processes enter their critical sections at the same time instant) and to 
generate a behavior in which there is always at least one alive process. We adopted the 
bi-infinite encoding, for reasons similar to those already explained for the RTA case study. 

Kernel Railway Crossing (KRC) This is a standard benchmark in real time sys- 
tems verification [7], which we used and described in a previous work [15]. In our 
example we adopted a descriptive model and studied the KRC problem with two sets 
of time constants, allowing a high degree of nondeterminism on train behavior. In par- 
ticular, the first set of constants was: d_Max = 9 and d_min = 5 t.u. for the maximum 
and minimum time for a train to reach the critical region, h_Max = 6 and h_min = 3 for 
the maximum and minimum time for a train to enter the critical region once it is first 
sensed, and γ = 3 for the movement of the bar from up to down and vice versa. The set 
of time constants for the second experiment was d_Max = 19, d_min = 15, h_Max = 16, 
h_min = 13, and γ = 10. For each of the two settings we proved both satisfiability of 
the specification (Sat) and the safety property, using a mono-infinite encoding. 

Timer Reset Lamp (TRL) This is the Timer Reset Lamp first presented in [15], 
with three settings (Δ = 10, Δ = 15, and Δ = 20) and two analyzed properties (the 
first one, that the lamp is never lighted for more than Δ t.u., is false, and the tool 
generates a counter-example; the second one, namely that the lamp can remain lighted 
for more than Δ t.u. only if the ON button is pushed twice within Δ t.u., is true). This 
system was analyzed with a bi-infinite encoding. 

Asynchronous Shift Register (ASR) The simplest case study is an asynchronous 
version of the Shift Register example discussed in Section 3, where the shift does not 
occur at every tick of the clock, but only at a special, completely asynchronous Shift 
command. We consider two cases, with the number of bits n = 16 and n = 24, and 
we prove satisfiability of the specification and one timed property (if the Shift signal 
remains true for n time units (t.u.) then the value In which was inserted in the Shift 
register at the beginning of the time interval will appear at the opposite side of the 
register at the end of the time interval). This case study was analyzed with reference to 
a bi-infinite encoding. 

4.1 Results 

The experiments were run on a PC equipped with two XEON 5335 (Quadcore) pro- 
cessors at 2.0 GHz, with 16 GB RAM, running under Gentoo X86-64 (2008.0). The 
SAT-solver was MiniSat. The experimental results are shown in Table 1. The suffix - 
de indicates analysis carried out on the descriptive version of the model, while -op is 
used for the operational version. The table reports, for various values of the bound k 
(30, 60, and 90), both Generation time, i.e., the time in seconds taken for building the 
encoding and transforming it into conjunctive normal form, and SAT time, i.e., the time 
in seconds taken by the SAT solver to answer. Only the timings of the metric version 
are reported, since the ones of the non-metric version can be obtained from the following 
speed up measures. Performance is gauged by providing three measures of speed up 
as a percentage of the time taken by the metric version (e.g., 0% means no speed-up, 
100% means double speed, i.e., the encoding is twice as fast, etc.): 
$\frac{T_{PLTL} - T_{metric}}{T_{metric}}$, 
where $T_{metric}$ and $T_{PLTL}$ represent the time taken by the metric and the PLTL encodings, re- 
spectively. The first measure shows the speed up in the generation phase, the second in 
SAT time and the third one in Total time (i.e., in the sum of Gen and SAT time). On 
average, the speed up is 42,2% for Gen and 62,2% for SAT, allowing for a 47,9% speed 
up in the total time. The best results give speed ups of, respectively, 224%, 377% and 
231%, while the worst results are -7%, -34% and -16%. 

Speed up for SAT time appears to be more variable and less predictable than the one 
for Gen time, although often significantly larger. This is likely caused by the complex 
and involved ways in which the SAT algorithm is influenced by the numerical values 
of the k bound, of the time constants in the specification formulae and by their inter- 
action, due to the heuristics that it incorporates. For instance, the speed up for Gen 
increases very regularly with the bound k, because of the smaller size of the formula 
to be generated, while SAT may vary unpredictably and significantly with the value of 
k (e.g., compare property op-P2 for TRL-10, where the speed up increases with k, and 
TRL-20, where the speed up actually decreases with k). A thorough discussion of these 
aspects is out of the scope of the present paper, also because they may change from one 
SAT-solver to another one. 

It is easy to realize, as already noticed in Section 3 for the example of the syn- 
chronous shift register, that significant improvements are obtained, with the new metric 
encoding, for analysing metric temporal logic properties with time constants having a 
fairly high numerical value. The larger the value, the larger the speed up. This is partic- 
ularly clear for TRL, RTA and FP case studies. 

Metric encoding timings (seconds) and speed up over the PLTL encoding, for k = 30, 60, 90: 

Case       Prop | Gen time         | SAT time         | Gen speed up     | SAT speed up     | Total speed up 
                | k=30  k=60  k=90 | k=30  k=60  k=90 | k=30  k=60  k=90 | k=30  k=60  k=90 | k=30  k=60  k=90 
TRL-20-op  P1   |  1,4   3,1   5,1 |  0,4   1,1   2,1 |  67%   67%   64% | 122%  145%  157% |  79%   88%   92% 
TRL-20-op  P2   |  1,8   3,8   6,3 |  0,6   2,5   8,5 | 104%  134%  143% | 242%  226%   84% | 140%  170%  109% 
ASR-24-de  Sat  | 11,3  31,3  59,4 | 14,6  31,4  67,9 |   3%   -1%   -1% |  -4%    0%   -1% |  -1%    0%   -1% 
ASR-24-de  Prop | 12,7  33,8  64,0 |  9,8  34,4  78,5 |  22%   31%   35% |  41%   38%   30% |  31%   35%   32% 
ASR-24-op  Sat  |  1,9   4,4   6,9 |  1,7   1,9   3,7 |   0%   -7%   -1% |  -1%   -1%   -1% |   0%   -5%   -1% 
ASR-24-op  Prop |  2,5   5,9   9,4 |  1,0   3,2   5,7 |  68%   73%   92% | 118%  125%  168% |  83%   92%  121% 
ASR-16-de  Sat  |  6,7  17,6  33,2 |  4,6  15,7  33,4 |   0%    2%    2% |   0%    0%    0% |   0%    1%    1% 
ASR-16-de  Prop |  7,4  20,0  36,4 |  5,1  18,3  40,3 |  22%   25%   28% |  34%   31%   27% |  27%   28%   27% 
ASR-16-op  Sat  |  1,4   3,0   5,0 |  0,7   1,3   2,4 |  -2%    7%    2% |   3%    6%    3% |   0%    6%    2% 
ASR-16-op  Prop |  1,9   4,2   6,9 |  0,7   2,1   3,7 |  57%   67%   69% |  94%   97%  131% |  67%   77%   90% 

Table 1. Summary of collected experimental data. 

The fact that the underlying model was descriptive or operational may have a sig- 
nificant impact on verification speed, but considering only the speed up the results are 
much more mixed. For instance, the operational versions of FP and KRC, although 
more efficient, had a worse speed up than their corresponding descriptive cases, while 
the reverse occurred for the operational versions of RTA, ASR and TRL. The only ex- 
ception is for the Sat case, where no property is checked against the model, and hence 
no gain can be obtained for the operational model. A decrease in benefit for certain 
descriptive models may be caused by cases where subformulae in metric temporal logic 
with large time constants are combined with other non-metric subformulae. 

The measure of the size of the generated formulae is not reported here, but it is worth 
pointing out that, thanks to the new metric encoding, the size is dramatically reduced 
when there are high time constants and/or large k bounds. In fact, in the previous, non- 
metric encoding, size is proportional to the product of the k bound and the numerical 
value of time constants, while in the new, metric encoding size is only proportional to 
their sum. 

5 Conclusions 

In this paper, a new encoding technique of linear temporal logic into boolean logic 
is introduced, particularly optimized for managing quantitative future and past metric 
temporal operators. The encoding is simple and intuitive in principle, but it is made 
more complex by the presence, typical of the technique, of backward and forward loops 
used to represent an ultimately periodic infinite domain by a finite structure. 

We have shown that, for formulae that include an explicit time constant, like e.g., 
◇=t φ, the new metric encoding permits an improvement, in the size of the generated 
SAT formula and in the SAT solving time, that is proportional to the numerical value 
of the time constant. In practical examples, the overall performance improvement is 
limited by other components of the encoding algorithm that are not related to the 
value of the time constants (namely, those that encode the structure of the time domain, 
or the non-metric operators). Therefore, the gain in performance can be reduced in the 
less favorable cases in which the analyzed formula contains few or no metric temporal 
operators, or the numerical value of the time constants is quite limited. 

An extensive set of experiments has been carried out to assess its feasibility and 
effectiveness for Bounded Model Checking (and Bounded Satisfiability Checking). Av- 
erage speed up in SAT solving time was 62%. The experimental results show that the 
new metric encoding can successfully be applied when the property to analyze includes 
time constants with a fairly high numerical value. 

Acknowledgements: We thank Davide Casiraghi for his valuable work on Zot's 
metric plugins. 
Appendix: a Mono-infinite Encoding 

In some sense, the mono-infinite encoding of PLTL is simpler, since there is only the 
forward loop to be taken into account. On the other hand, the temporal structure being 
mono-infinite, it is possible to refer to time instants before 0 (e.g. by using • at instant 
0). The typical approach (see e.g. [2]) is to use a default value for operators referring 
to instants outside the temporal domain: in our case, •φ at 0 is false for any φ. Because 
of this, it is necessary to introduce a dual operator for representing the negation of •, 
which we will denote by •'. Its semantics is given by the following formula: 

$\bullet\varphi \Leftrightarrow \neg \bullet' \neg\varphi.$ 

Next, we present the constraints of Section 3, modified for a mono-infinite time 
structure. 

Propositional constraints, with p denoting a propositional symbol, for $0 \le i \le k$: 

$p$: $|[p]|_i \Leftrightarrow p \in S_i$ 

$\neg p$: $|[\neg p]|_i \Leftrightarrow p \notin S_i$ 

$\varphi_1 \wedge \varphi_2$: $|[\varphi_1 \wedge \varphi_2]|_i \Leftrightarrow |[\varphi_1]|_i \wedge |[\varphi_2]|_i$ 


Temporal subformulae constraints: 

For $0 \le i \le k$: 

$\circ\varphi_1$: $|[\circ\varphi_1]|_i \Leftrightarrow |[\varphi_1]|_{i+1}$ 

$\varphi_1 \mathcal{U} \varphi_2$: $|[\varphi_1 \mathcal{U} \varphi_2]|_i \Leftrightarrow |[\varphi_2]|_i \vee (|[\varphi_1]|_i \wedge |[\varphi_1 \mathcal{U} \varphi_2]|_{i+1})$ 

$\varphi_1 \mathcal{R} \varphi_2$: $|[\varphi_1 \mathcal{R} \varphi_2]|_i \Leftrightarrow |[\varphi_2]|_i \wedge (|[\varphi_1]|_i \vee |[\varphi_1 \mathcal{R} \varphi_2]|_{i+1})$ 

For $1 \le i \le k+1$: 

$\bullet\varphi_1$: $|[\bullet\varphi_1]|_i \Leftrightarrow |[\varphi_1]|_{i-1}$ 

$\bullet'\varphi_1$: $|[\bullet'\varphi_1]|_i \Leftrightarrow |[\varphi_1]|_{i-1}$ 

$\varphi_1 \mathcal{S} \varphi_2$: $|[\varphi_1 \mathcal{S} \varphi_2]|_i \Leftrightarrow |[\varphi_2]|_i \vee (|[\varphi_1]|_i \wedge |[\varphi_1 \mathcal{S} \varphi_2]|_{i-1})$ 

$\varphi_1 \mathcal{T} \varphi_2$: $|[\varphi_1 \mathcal{T} \varphi_2]|_i \Leftrightarrow |[\varphi_2]|_i \wedge (|[\varphi_1]|_i \vee |[\varphi_1 \mathcal{T} \varphi_2]|_{i-1})$ 


Loop constraints: 

Base: $\neg l_0 \wedge \neg InLoop_0$ 

$1 \le i \le k$: $(InLoop_{i-1} \Rightarrow \neg l_i) \wedge (InLoop_i \Leftrightarrow InLoop_{i-1} \vee l_i) \wedge (LoopExists \Leftrightarrow InLoop_k)$ 



Eventuality constraints: 

Base: 

$\varphi_1 \mathcal{U} \varphi_2$: $\neg\langle\langle\Diamond\varphi_2\rangle\rangle_0 \wedge (LoopExists \Rightarrow (|[\varphi_1 \mathcal{U} \varphi_2]|_k \Rightarrow \langle\langle\Diamond\varphi_2\rangle\rangle_k))$ 

$\varphi_1 \mathcal{R} \varphi_2$: $\langle\langle\Box\varphi_2\rangle\rangle_0 \wedge (LoopExists \Rightarrow (|[\varphi_1 \mathcal{R} \varphi_2]|_k \Leftarrow \langle\langle\Box\varphi_2\rangle\rangle_k))$ 

$1 \le i \le k$: 

$\varphi_1 \mathcal{U} \varphi_2$: $\langle\langle\Diamond\varphi_2\rangle\rangle_i \Leftrightarrow \langle\langle\Diamond\varphi_2\rangle\rangle_{i-1} \vee (InLoop_i \wedge |[\varphi_2]|_i)$ 

$\varphi_1 \mathcal{R} \varphi_2$: $\langle\langle\Box\varphi_2\rangle\rangle_i \Leftrightarrow \langle\langle\Box\varphi_2\rangle\rangle_{i-1} \wedge (\neg InLoop_i \vee |[\varphi_2]|_i)$ 
Last state constraints: 

Base: $\neg LoopExists \Rightarrow \neg|[\varphi]|_{k+1}$ 

$1 \le i \le k$: 


First state constraints, at 0: 

$\varphi_1 \mathcal{S} \varphi_2$: $|[\varphi_1 \mathcal{S} \varphi_2]|_0 \Leftrightarrow |[\varphi_2]|_0$ 

$\varphi_1 \mathcal{T} \varphi_2$: $|[\varphi_1 \mathcal{T} \varphi_2]|_0 \Leftrightarrow |[\varphi_2]|_0$ 

$\bullet\varphi_1$: $\neg|[\bullet\varphi_1]|_0$ 

$\bullet'\varphi_1$: $|[\bullet'\varphi_1]|_0$ 


Encoding of the metric operators 



As before with the yesterday operator, for the mono-infinite encoding of metric tem- 
poral operators we have to define, for all the metric past operators, their duals w.r.t. 
negation. Following the same notation used before, we will call ◆'≤t the dual of ◆≤t, 
◆'=t the dual of ◆=t, and ■'≤t the dual of ■≤t. 

By default, ◆≤t φ and ◆=t φ are assumed to be false when referring to time instants before 
0, whereas ■≤t φ is assumed to be true. 

The semantics of the metric past dual operators is given by the following formulae: 

$\blacklozenge_{=t}\varphi \Leftrightarrow \neg\blacklozenge'_{=t}\neg\varphi, \quad \blacklozenge_{\le t}\varphi \Leftrightarrow \neg\blacklozenge'_{\le t}\neg\varphi, \quad \blacksquare_{\le t}\varphi \Leftrightarrow \neg\blacksquare'_{\le t}\neg\varphi.$ 

Next, we present the constraints of Sub-section 3.1, modified for a mono-infinite 
time structure. 
Metric constraints, for $0 \le j \le t-1$ and for each of $\Diamond_{=t}\varphi$, $\Box_{\le t}\varphi$, $\Diamond_{\le t}\varphi$: 

$\langle\langle MF(\varphi, j)\rangle\rangle \Leftrightarrow \bigvee_{i=1}^{k} \left( l_i \wedge |[\varphi]|_{i + \mathrm{mod}(j,\, k-i+1)} \right)$ 

Temporal subformulae constraints: 

Past in Loop constraints: 